Do you really need cookie consents to be incorporated into your mobile applications? A new enforcement of the CCPA by the California Attorney General involving a mobile game developer emphasizes the need to honor the right to opt out in mobile applications as well.

Key takeaways from the decision that apply to mobile app developers, and also generally under the CCPA:

For CCPA Generally:

  • You need a compliant opt-out link and method on your website. Simply referring to the “cookies” section of your privacy policy is not enough.
  • Your notice of the right to opt out must request the minimal amount of personal information necessary to effectuate the consumer’s opt-out choice. (This is similar to the holding in the CalPrivacy decisions on Honda and Todd Snyder).  
  • You must provide a means by which the consumer can confirm that their request to opt out of sale/sharing has been processed, for example by displaying “Opt-Out Request Honored” on your website and showing through a toggle or radio button that the consumer has opted out of the sale/sharing of their personal information, including within each application you make available.

For Mobile Apps:

  • If you “sell” or “share” personal information through trackers in your mobile application, you need to provide a compliant opt-out link or setting within each app.
  • Where a consumer opts out through a mobile application, you must effectuate the consumer’s opt-out choice across all of your mobile applications for any personal information you associate with the consumer.
  • The notice of the right to opt out must be formatted and designed to fit and scale to the website or application where it is provided, without unnecessarily burdening a consumer’s ability to opt out.
  • You may use the same mechanism to effectuate the CCPA-required opt-out and other choices related to the collection of personal information, provided such mechanism is presented in a clear and non-confusing manner consistent with the CCPA. To do so, you must avoid language or design likely to confuse a reasonable consumer into believing that the other choice(s) (i) constitute a CCPA-compliant opt-out method, or (ii) must also be selected to opt out of selling or sharing.

For Children’s Data:

  • You should design age-screening mechanisms in a neutral manner that (1) does not default to an age of 16 or above, and (2) does not suggest that certain features will not be available for consumers who identify as younger than 16 years of age.
  • You should not collect personal information from a consumer prior to collecting age information through the age-screen, except as permitted by law.
  • If a consumer submits an age of less than 13 years through the age-screen, you should direct them to a child version of the application.
  • If a consumer submits an age of at least 13 years and less than 16 years through the age-screen, you should direct them to a child version of the application or, alternatively, obtain the consumer’s affirmative authorization to sell or share personal information before directing them to the main application.